Wireless Network Policy

To understand the need for a policy that prescribes a centrally managed wireless network,
it is helpful to understand some of the premises and principles that guide Webster
University in constructing and operating an enterprise-wide wired network. These policies
are logically extended to wireless networking because of some very compelling technical
and operational realities.

Note: The following information was borrowed with permission from the University of Kansas.
It has been extensively adapted to reflect Webster University's unique environment
and current situation relative to wired and wireless networking. Definitions of technical terms used in this article are provided at the end of the page.

The Enterprise Wired Network at Webster University

Economy derives from controlling the total cost of ownership to Webster University
by reducing the total number of separate and distinct systems required to service
all the diverse information transport needs. Coordinated, standardized purchases and
coordinated infrastructure maintenance create a synergy that increases buying power
and decreases labor costs. Economy also derives from providing one ubiquitous and
uniform network so that connectivity is provided everywhere at any time. Last but not
least, economy derives from adopting standards for network infrastructure construction,
standards for network protocols, and standards for network acceptable use.

An aggregation of separate, discrete, and departmentally-managed networks or extended
site-managed networks would not constitute an infrastructure that can meet institutional
goals in terms of its effectiveness nor would it provide for the best and most efficient
return on Webster University's investment. In many cases it may appear that a department
or extended site can build an internal network that costs less and is more effective
in meeting the unique need of that particular department. However, when many or all
departments/sites build and run their own private networks, the expense is far greater
than when one centrally administered network is constructed.

Enterprise-class networks, on the other hand, by definition provide the most reliability,
capability and security for the least cost to the institution as a whole. Webster
University has therefore adopted the premise that institution-wide enterprise telecommunication
networks are the most effective way to provide for its information access and transport
needs.

Enterprise level networks require a high level of coordination in planning, management
and maintenance to ensure the reliability and the integrity of the information services
they support. One proven way to provide for this coordination is through central administration
and management. Through central administration and management, Webster University
also ensures that the resource itself is constructed and operated in an integrated,
cost-efficient and effective manner. It is only through centrally coordinated information
technology strategic planning and implementation that the core technology goals of
the institution are met.

A major component of implementing an enterprise-class network is the adoption of a
uniform set of components, installation practices, and operational criteria in the
construction, use and ongoing management of its enterprise networks. The common
method used by universities to prescribe a uniform set of standards in components,
construction practices, and usage rules is to create and adopt an institutional-level
policy.

Extension of an Enterprise Wired Network Policy into the Wireless Implementations

The utility of wireless network technology can have a positive effect on teaching,
learning, and administration. Webster University has now concluded that wireless network
technology has advanced to the degree that an institution-wide approach to its
construction and operation should be adopted. For the same reasons Webster University
has adopted the practice/policy that centrally managed enterprise wired networks are
the most effective way to provide its constituency with reliable, capable, secure
and economical wired connectivity, Webster University is now extending that notion
to its wireless network space and implementation.

One consequence of the decision to view wireless as a University resource rather than
a department or site resource is the realization that wireless local area networks,
when connected to Webster University's wired network, are an extension of the enterprise
University wired network to which they are connected. This means that all University
policies concerning Webster University's enterprise wired network should also apply
to wireless connections.

It is therefore required that all end-user devices providing wireless access, and all
end-user systems connecting to the wireless enterprise network distribution infrastructure,
comply with the same policies, procedures, and practices governing the use
and operation of any end-user device or system connecting to Webster University's enterprise
wired network.

A second realization is that a decision on whether to allow private wireless systems
(departmentally, site, or individually owned/managed systems) to exist or not needs
to be made. After much discussion on the pros and cons of this approach, the decision
is that no private wireless networks are to be allowed at Webster University, either
on main campus or at extended domestic sites. (Some latitude will be allowed for international
extended sites, although a high degree of coordination will be required.)

Just as for enterprise wired networks, the creation of an enterprise-level wireless
data network requires the adoption of a uniform set of components, installation practices,
processes, procedures and operational criteria. Just as for Webster's enterprise wired
networks, a central management entity is designated to ensure uniformity. Therefore,
a central entity should be responsible for establishing and maintaining standards
for 802.11x wireless access points (equipment and installation) for use at Webster
University across all locations. Additionally, all WLAN systems should be installed,
configured and managed by a central entity, just as all wired networking components
are installed, configured, and managed by a central entity.

Challenges Of Wireless Networks

Additionally, wireless presents its own unique challenges as we try to provide for
reliability, capability, security and economy. These challenges relate to spectrum
allocation, interoperability, security, and overall network performance.

Spectrum Allocation

802.11x wireless LAN technology operates in an unlicensed portion of the electromagnetic
spectrum. This means that the FCC has no role in preventing interference caused by
other users of 802.11x technologies or by the myriad of other devices designed to
operate in this spectrum. Well-known conflicts in the 802.11b and 802.11g 2.4 GHz
spectrum include 2.4 GHz cordless phones and even some older makes of microwave ovens.
Furthermore, some laboratory equipment operating within the same frequency range may
also cause interference. Other wireless technology, such as Bluetooth, also uses the
2.4 GHz range, another potential source of conflict. The 802.11a technology operates
in the 5 GHz band and may also interfere with, or be interfered with by, numerous other
consumer wireless technologies.

For Webster University, this interference can have a detrimental impact on the utility
of 802.11x technologies as more wireless devices are deployed.

For example, what would happen if two departments each installed an access point (AP)
in two adjacent areas of one physical location, and, to provide better coverage, one
department also installed an antenna that boosted the signal strength of one of its
APs? This would probably result in neither department enjoying much in the way of
wireless access, since the RF signals from one AP would most likely interfere with
those of the other.

There is great potential for the proliferation of wireless communications products
(not just wireless data networks) in the next few years. The resulting likelihood
of interference between such devices and services using the wireless communications
spectrum makes it essential that wireless activities across the university be centrally
coordinated. This is particularly important in "public" areas, or in buildings which
house multiple departments or organizations, where several groups may have an interest
in using or even providing wireless service. The shared spectrum of wireless technology
does not allow for an unlimited number of these devices to be placed into service
and requires coordination in order to maximize this technology's potential for Webster
University as a whole.

As the number of wireless communications devices increases, so does the potential for
channel interference. To avoid spectrum conflicts and to maximize the efficient utilization
of this scarce resource in supporting Webster University's mission, central coordination
of the use of this unlicensed spectrum by the Webster University constituency is essential.
For this reason, we have a central authority (the NTS department of IT) that both
authorizes and monitors the use of frequencies (in much the same way that Webster's
IP address space is currently assigned and controlled). To decrease the potential
for interference and to maximize the effectiveness and efficiency of Webster
University's use of the wireless spectrum, the following operational principles are adopted:

Within its geographic/building boundaries, unlicensed spectrums should be viewed as
being "owned" by Webster University and use of the spectrums should be coordinated
centrally

No wireless implementation should be placed into operation without advance consultation
and coordination with Networking and Technical Services of IT

All WLANs will be operated in such a manner that they do not interfere with other
WLANs or Webster University's enterprise wired data network

Networking and Technical Services will resolve and manage frequency coordination.
However, it must be noted that the central entity cannot guarantee interference-free
operation of any WLAN from other unknown or non-university WLAN systems or from other
devices operating in the same unlicensed spectrum as the WLAN.
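The following is an added example, not part of the Webster University policy text: a small planning aid of the kind a central networking group might run over its access-point register to catch the interference scenario described above (two nearby APs on overlapping channels) and to plan the three non-overlapping 2.4 GHz channels a location can support. The AP names, locations and channel assignments are constructed sample data; the channel numbering and channel widths are those of the 802.11a/b/g standards.

```python
"""Channel-overlap check and channel plan for a campus WLAN register (added example)."""
from dataclasses import dataclass
from itertools import combinations

# 802.11b/g: channel n is centred at 2407 + 5*n MHz (channel 14 is the special
# case at 2484 MHz) and a DSSS channel occupies about 22 MHz.
# 802.11a: channel n is centred at 5000 + 5*n MHz and occupies 20 MHz.
CHANNEL_WIDTH_MHZ = {"2.4GHz": 22, "5GHz": 20}
NON_OVERLAPPING_24GHZ = (1, 6, 11)   # the only three mutually non-overlapping channels


def center_frequency_mhz(band: str, channel: int) -> int:
    """Centre frequency of a channel; raises ValueError for an unknown channel."""
    if band == "2.4GHz":
        if channel == 14:
            return 2484
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
    elif band == "5GHz" and 36 <= channel <= 165:
        return 5000 + 5 * channel
    raise ValueError(f"channel {channel} is not valid in the {band} band")


def channels_overlap(band: str, ch_a: int, ch_b: int) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    spacing = abs(center_frequency_mhz(band, ch_a) - center_frequency_mhz(band, ch_b))
    return spacing < CHANNEL_WIDTH_MHZ[band]


@dataclass(frozen=True)
class AccessPoint:
    name: str
    location: str   # APs registered at the same location are assumed to hear each other
    band: str
    channel: int


def find_conflicts(aps):
    """Pairs of APs at the same location, in the same band, on overlapping channels."""
    return [
        (a.name, b.name)
        for a, b in combinations(aps, 2)
        if a.location == b.location and a.band == b.band
        and channels_overlap(a.band, a.channel, b.channel)
    ]


def plan_24ghz(aps, location):
    """Assign 1/6/11 round-robin to the 2.4 GHz APs at a location.

    Returns (assignments, overflow): APs beyond the third cannot be given a
    non-overlapping channel, which is the shared-spectrum limit the policy describes.
    """
    local = [ap for ap in aps if ap.location == location and ap.band == "2.4GHz"]
    assignments = {ap.name: NON_OVERLAPPING_24GHZ[i] for i, ap in enumerate(local[:3])}
    overflow = [ap.name for ap in local[3:]]
    return assignments, overflow


# Constructed sample register (not real Webster University data).
SAMPLE_REGISTER = [
    AccessPoint("AP-LIB-1", "Library 2F", "2.4GHz", 1),
    AccessPoint("AP-LIB-2", "Library 2F", "2.4GHz", 3),    # 10 MHz from channel 1: overlaps
    AccessPoint("AP-LIB-3", "Library 2F", "2.4GHz", 11),
    AccessPoint("AP-ADM-1", "Admin Bldg", "5GHz", 36),
    AccessPoint("AP-ADM-2", "Admin Bldg", "5GHz", 40),     # exactly 20 MHz apart: no overlap
    AccessPoint("AP-ADM-3", "Admin Bldg", "2.4GHz", 6),    # different band from the two above
]

if __name__ == "__main__":
    print("conflicts:", find_conflicts(SAMPLE_REGISTER))
    print("Library 2F plan:", plan_24ghz(SAMPLE_REGISTER, "Library 2F"))
```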

Interoperability

To allow devices, networks and systems to communicate with each other, all must use
a common language. To promote the idea of a common language, information systems rely
on the concept of standards. In information systems, standards relate to adherence to
common hardware and software. To maximize the ability of systems to be interoperable,
institutions can issue a list of standards that must be adhered to and/or delegate
the responsibility of choosing, implementing, and managing a standard to a central coordination
entity.

Most institutions find that the skill set of a central entity allows for a focus on
technology in a way that exceeds the ability of any individual department/site to
maintain over time. A central entity can devote its entire time to this as its central mission,
whereas an individual department most of the time cannot afford the ongoing resource
commitment.

For wireless, even with the existence of standards, compatibility and seamlessness
would be enhanced by a uniform set of equipment being deployed. Networking and Technical
Services has working relationships with several vendors with proven high quality networking
products, whose products have proven ability to interoperate with each other, and
with whom we can be assured of reliable technical support to work out unforeseeable
issues. Incompatibilities between vendor specific standards and implementations can
be minimized, as will the "finger pointing" between competing vendors. Utilizing a
standard set of equipment will ensure a seamless network as wireless connectivity
grows, as well as consistent management of devices across the multiplicity of main
campus buildings and extended campus sites.

Additionally, since 802.11x wireless devices and systems extend Webster University's
enterprise wired environment, these devices and systems can have a detrimental impact on
the performance and/or integrity of Webster University's wired networks. To provide
for interoperability between the wired and wireless networks, therefore, wireless must
not only adopt interoperability standards in the wireless space but also be made compatible
with the wired space.

To achieve the notion of one interoperable enterprise wireless network system, the
following operating policies/principles can be seen as important:

That all WLAN systems should be considered University systems

That a central entity should be responsible for establishing and maintaining standards
for 802.11x wireless access points (equipment and installation) for use across Webster
University, and that any WLAN component will be placed into operation only by the
Networking and Technical Services department of central IT (or with their coordination
and instructions).

That all WLAN components and systems should be installed, configured and managed by
Networking and Technical Services (with some latitude for international sites).

Security

At this time, "out-of-the-box" 802.11x technology is inherently insecure. Security
mechanisms built into the wireless access point provide very little in the way of
preventing unauthorized access or protecting the data being transmitted from unauthorized
access. Attention to security is a priority within Webster University Information
Technology. Protection against unauthorized access to sensitive institutional data
includes securing the network itself. Security concerns related to the adoption of
wireless networking technologies far outweigh all other aspects of the 802.11x environment,
including those of convenience and access.

Unlike switched wired networks, wireless transmissions are much more easily intercepted
by network hackers (infiltrators). Sensitive clear-text information such as passwords
to enterprise systems, credit card numbers and e-mail can be easily "sniffed" and
abused. Even more troubling is the problem of a session being hijacked. It is possible
to intercept a user's wireless conversation with a server and then to masquerade either
as the user, or as the server with which the user thinks he is communicating. For example,
you perform a wireless login to eBay and your login is intercepted by a rogue server
that emulates eBay. You provide your credit-card number and, voila, your purchases
are mailed elsewhere but the bill gets charged to your credit card.

To avoid these problems it is important to implement a mechanism whereby wireless
users must identify and authenticate before access is granted and to encrypt wireless
transmissions.

Authentication

To protect Webster's network resources, access to the Webster wireless network is
restricted to members of the campus community who have a valid Connections ID and
password.

The Webster wireless network will use a web-based authentication scheme to authenticate
a wireless session via a Connections ID and password. Users will open an SSL-enabled web browser to any page and will be
redirected to the Webster Wireless Network login page, where they will need to enter
their Connections ID and password. If authenticated, the user will be redirected to
their original web page. This method has the advantage of not requiring additional
client software or firmware upgrades (almost everyone has a web browser available),
nor is it vendor-specific.

Encryption

The 802.11x security standard, WEP (Wired Equivalent Privacy), has been proven to
have inherent flaws that render it largely useless, particularly for large-scale enterprise-level
deployment. WEP relies on a shared key (password) between the access point and
the client for encryption/decryption. Unfortunately, this is usually a single key
which all prospective users must share, which means that the password is no longer
very private, and when the key is compromised (shared with or lost to an unauthorized user), a new
key must be re-issued to all authorized users. Even when WEP is available, users very
often deliberately fail to turn it on because it makes both setup and long-term management
of the wireless network more difficult.

Some vendors (e.g., Cisco and Lucent) have recently announced 'dynamic' WEP algorithms
that dynamically allocate keys on a per-user, per-session basis. However, these schemes
are vendor-specific, so they won't interoperate with other vendors' client cards.

The industry is continuously working on newer and better encryption mechanisms and
the hope is that at least one of these will emerge as a standard. When one does Webster
University will adopt it as appropriate.

In order to effect the wireless authentication and encryption, the following principles
are being put into practice:

All wireless network access should utilize the enterprise authentication via Connections
ID and the authorization and encryption mechanisms prescribed by IT.

The Webster University WLAN system will provide for this option during the initial
user authentication process.

Performance

There is an unprecedented amount of research ongoing in the wireless industry today.
New compression algorithms, protocols and modulation techniques promise to revolutionize
wireless and allow speeds that rival wired systems. For now, however, 802.11x technology
is a shared-bandwidth technology running at speeds at or even below those of ten-year-old
first-generation shared Ethernet hubs. As such, advanced network applications that
rely on an appropriately configured switched network architecture and/or high
bandwidth will not work effectively in a wireless environment.

There's no way any wireless infrastructure will perform like a 100 Mbps switched wired
network, and this will become critical in classrooms for any serious amount of data
transfer (especially any multimedia applications). The idea that wireless equals wired
in terms of performance, especially at the density of people and usage of a classroom,
is simply still a pipe dream. It may seem that capacity is not an issue when the experience
is related to a home DSL connection or printing to a network printer, but that's not
the same as an entire class attempting to watch a video or collaborate with data.
If you plan on using computers in the classroom, and are doing more than sporadic
access to the Internet, you need a wired infrastructure in the rooms. Many universities
have learned this lesson and are now advocating and planning to rewire rooms that
were thought to be "just fine" with wireless.

Some institutions bet the farm and opted for a wireless environment in an effort to
avoid costly wiring strategies. These institutions are now undergoing the pain and
expense of ripping out their wireless infrastructure and replacing it with a wired
one. Wireless is currently a supplement for wired technology and while extremely useful
and convenient for access to some applications, especially where mobility is required,
it has some extreme limitations. The absolute worst application is in the classroom
when large numbers of users desire to access the network simultaneously.

Wireless LANs therefore cannot be considered a replacement for a well-wired campus,
since WLAN technology has not developed to the point of being equal in performance
to that of a wired environment or being capable of enabling advanced network applications.
WLANs are best suited for applications or environments where mobility or untethered
network connectivity is a major requirement, and where performance and security are
less of a concern. Thus, wireless networks are viewed as a supplement only to Webster
University's enterprise data network, enabling it to be accessed by general-purpose,
security-insensitive applications in zones of transient public use.

Caveats to the Developing Webster Wireless Policy and Implementation

Some departments or units have already installed WLAN equipment (e.g., Apple AirPort
base stations, Linksys, Belkin, D-Link, etc.). These wireless projects have no common
goal or cooperative effort involved, yet are connected to the campus network, the
same infrastructure which supports university business, teaching and research. This
lack of coordinated effort and of a university-wide standard with regard to wireless
technology is having a direct and negative effect on the campus wired network and
network-attached resources, especially insofar as security is concerned.

Therefore, if any department/site installed equipment exists, Webster University through
its central IT organization will claim the right of 'eminent domain' and ask that
the local equipment be removed.

Note: Any local wireless equipment that is not connected to the Webster University wired
enterprise network must still be registered with Networking and Technical Services
for airspace control reasons but may not necessarily need to comply with component
standards.

Wireless-Related Definitions

Access Point (AP)

The WLAN "base station" that provides the interface between Wireless User Devices
and the Webster University public wired data network.

Advanced Network Applications

Any of a number of recently developed high-value Information Technology applications,
such as those requiring IP Multicast, Quality of Service or substantial bandwidth
for their operation, for example video, voice over IP, and multimedia web browser
access.

Bluetooth

An IEEE wireless data networking standard (802.15.2) operating in the 2.4 GHz unlicensed
frequency band, designed to use less power over shorter ranges than the IEEE 802.11
WLAN technologies. It was designed to eliminate cabling on the desktop (e.g. a mouse
or keyboard cable)

General Purpose Applications

Any of a number of legacy Information Technology applications such as email or low
level web browsing not requiring advanced networking capabilities or high bandwidth
for their operation

IEEE 802.11a/b/g

Standards for providing wireless Ethernet connectivity

MAC Authentication

A method of providing User Authentication on WLANs by using the Media Access Control
(MAC) address of the network interface card (NIC). When using MAC Authentication,
a Wireless Device may not communicate with an Access Point unless the MAC address
of the Wireless Device is first registered in a table contained in the AP.

Radio Frequency (RF)

A portion of the electromagnetic spectrum

Service Set Identifiers (SSID)

An identifier of up to 32 characters used in IEEE 802.11 devices in an effort to ensure
only authorized personnel access the data network

Strong Security

A strategy by which a system limits uncontrolled access to use of the system and/or
system data. Strong security encompasses the idea of user authentication, encryption,
logging and auditing, and automated management and monitoring.

Wired Equivalent Privacy (WEP)

A method of encrypting data traversing the wireless network in an effort to secure
the privacy of the data itself. There are two versions of WEP: 40-bit which uses ten
hexadecimal characters and 128-bit which uses twenty-six hexadecimal characters as
the encryption key. WEP keys can also be assigned in either a static or dynamic manner.

Wireless LAN (WLAN)

An IEEE 802.11a/b/g based system consisting of Wireless User Devices and one or more
Access Points that provide wireless-based Ethernet connectivity to the Webster University
Public Wired Data Network.

Wireless User Device

The end user system or device that accesses the WLAN for data communications purposes.
This will normally be a computer or Personal Digital Assistant containing an appropriate
wireless network interface card